37 lines
755 B
Text
37 lines
755 B
Text
|
import "pe"
|
||
|
|
||
|
rule M_APT_Downloader_BOOMMIC {
|
||
|
|
||
|
meta:
|
||
|
|
||
|
author = "Mandiant"
|
||
|
|
||
|
description = "Rule looking for BOOMMIC malware"
|
||
|
|
||
|
reference = "https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns"
|
||
|
|
||
|
|
||
|
strings:
|
||
|
|
||
|
$loc_10001000 = { 55 8B EC 8D 45 0C 50 8B 4D 08 51 6A 02 FF 15 [4] 85 C0 74 09 B8 01 00 00 00 EB 04 EB 02 33 C0 5D C3 }
|
||
|
|
||
|
$loc_100012fd = {6A 00 8D 55 EC 52 8B 45 D4 50 6A 05 8B 4D E4 51 FF 15 }
|
||
|
|
||
|
$func1 = "GetComputerNameExA" ascii
|
||
|
|
||
|
$func2 = "HttpQueryInfoA" ascii
|
||
|
|
||
|
condition:
|
||
|
|
||
|
uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 1MB and
|
||
|
|
||
|
(
|
||
|
|
||
|
($loc_10001000 and $func1) or
|
||
|
|
||
|
($loc_100012fd and $func2)
|
||
|
|
||
|
)
|
||
|
|
||
|
}
|